Oracle安全管理-listener监听配置白名单以及黑名单

使用netmgr进行配置，以及监听密码：

在上面拒绝的访问客户以及可以访问的客户机，写入IP地址即可。

进行监听密码配置。

重启监听程序 

C:\Users\Administrator>lsnrctl stop

LSNRCTL for 64-bit Windows: Version 12.2.0.1.0 - Production on 26-7月 -2019 17:1
4:37

Copyright (c) 1991, 2016, Oracle.  All rights reserved.

正在连接到 (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=UP57VFMG5AH8GDS)(PORT=1521)
))
命令执行成功

C:\Users\Administrator>lsnrctl start

LSNRCTL for 64-bit Windows: Version 12.2.0.1.0 - Production on 26-7月 -2019 17:1
4:40

Copyright (c) 1991, 2016, Oracle.  All rights reserved.

启动tnslsnr: 请稍候...

TNSLSNR for 64-bit Windows: Version 12.2.0.1.0 - Production
系统参数文件为D:\app\Administrator\virtual\product\12.2.0\dbhome_1\network\admin
\listener.ora
写入D:\app\Administrator\virtual\product\12.2.0\dbhome_1\log\diag\tnslsnr\UP57VF
MG5AH8GDS\listener\alert\log.xml的日志信息
监听: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=UP57VFMG5AH8GDS)(PORT=1521)))
监听: (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\\.\pipe\EXTPROC1521ipc)))

正在连接到 (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=UP57VFMG5AH8GDS)(PORT=1521)
))
LISTENER 的 STATUS
------------------------
别名                      LISTENER
版本                      TNSLSNR for 64-bit Windows: Version 12.2.0.1.0 - Produ
ction
启动日期                  26-7月 -2019 17:14:46
正常运行时间              0 天 0 小时 0 分 4 秒
跟踪级别                  off
安全性                    ON: Local OS Authentication
SNMP                      OFF
监听程序参数文件          D:\app\Administrator\virtual\product\12.2.0\dbhome_1\n
etwork\admin\listener.ora
监听程序日志文件          D:\app\Administrator\virtual\product\12.2.0\dbhome_1\l
og\diag\tnslsnr\UP57VFMG5AH8GDS\listener\alert\log.xml
监听端点概要...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=UP57VFMG5AH8GDS)(PORT=1521)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\\.\pipe\EXTPROC1521ipc)))
服务摘要..
服务 "CLRExtProc" 包含 1 个实例。
  实例 "CLRExtProc", 状态 UNKNOWN, 包含此服务的 1 个处理程序...
命令执行成功
查看sqlnet.ora

# sqlnet.ora Network Configuration File: D:\app\Administrator\virtual\product\12.2.0\dbhome_1\NETWORK\ADMIN\sqlnet.ora
# Generated by Oracle configuration tools.

# This file is actually generated by netca. But if customers choose to 
# install "Software Only", this file wont exist and without the native 
# authentication, they will not be able to connect to the database on NT.

TCP.VALIDNODE_CHECKING = YES

SQLNET.AUTHENTICATION_SERVICES= (NTS)

TCP.EXCLUDED_NODES= (10.228.246.120, 10.228.246.120)

ADR_BASE = D:\app\Administrator\virtual\product\12.2.0\dbhome_1\log

 

白名单配置 

tcp.invited_nodes白名单配置
tcp.validnode_checking=yes
sqlnet.encryption
SQLNET.EXPIRE_TIME=10
tcp.invited_nodes=(10.2.20.25,10.2.60.20,10.2.60.0/24,10.2.200.0/22)  --一定要写自己主机的IP地址啊@！！！！！！！！！！！
sqlnet.inbound_connect_timeout=30

使用10.2.248.x网段进行连接主机数据库如下：

bash-3.2$ sqlplus system/cmcc#2019@eoms39               

SQL*Plus: Release 11.2.0.4.0 Production on Wed Dec 9 15:19:54 2020

Copyright (c) 1982, 2013, Oracle.  All rights reserved.

ERROR:
ORA-12537: TNS:connection closed

在sqlnet.ora中添加如下开放限制
tcp.invited_nodes=(10.2.201.25,10.2.60.208,10.2.60.0/24,10.2.200.0/22,10.2.248.0/24)

 

重启监听

lsnrctl stop

lsnrctl start

 

重试连接
bash-3.2$ sqlplus system/cc#2019@eo39

SQL*Plus: Release 11.2.0.4.0 Production on Wed Dec 9 15:21:14 2020

Copyright (c) 1982, 2013, Oracle.  All rights reserved.

ERROR:
ORA-28002: the password will expire within 7 days

Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL>